CVE-2024-32962: xml-crypto vulnerable to XML signature verification bypass due improper verification of signature/signature spoofing
Default configuration does not check authorization of the signer, it only checks the validity of the signature per section 3.2.2 of https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation. As such, without additional validation steps, the default configuration allows a malicious actor to re-sign an XML document, place the certificate in a <KeyInfo /> element, and pass xml-crypto default validation checks.
References
- github.com/advisories/GHSA-2xp3-57p7-qf4v
- github.com/node-saml/xml-crypto
- github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000
- github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca
- github.com/node-saml/xml-crypto/discussions/399
- github.com/node-saml/xml-crypto/pull/301
- github.com/node-saml/xml-crypto/pull/445
- github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v
- nvd.nist.gov/vuln/detail/CVE-2024-32962
Detect and mitigate CVE-2024-32962 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →